PRO-3300.04: Network Firewall Change Requests

Procedure Summary

Intended Audience: IT Personnel

Procedure Owner: Director of Enterprise Infrastructure Services (EIS)

Western Washington University uses Network Firewalls to prevent IT systems outside of Western from accessing the Western network. Network Firewalls also secure access between different IT systems within the Western network.

IT personnel may request changes to Network Firewalls to allow or restrict access between specific systems or networks. Requests must be made in advance via electronic form, and reviewed and approved by the Information Security Office before being implemented.

Emergency requests for firewall changes, to address urgent service outages or issues, may be made via a Jira Service Desk (Help Desk) ticket, or—for ITS personnel only—by contacting the Firewall Administrator directly.


To request a firewall change, go to the Firewall Change Request form.

Full Document

1. Definitions

Network Firewall

An ITS-administered network device that restricts access to or from certain IP addresses or networks.

Firewall Administrator

An ITS employee, designated by the Director of EIS, to have access and responsibility for the configuration and maintenance of Network Firewalls.

Firewall Change Request

A form or other process for IT personnel to request changes to the access control lists of a Network Firewall, to permit or deny network traffic between specific hosts or networks.


2. Methods of Requesting Firewall Changes

Firewall change requests will be initiated in one of three ways:

  1. Electronic form
  2. Jira Service Desk ticket (for troubleshooting purposes or in response to a service outage)
  3. Direct request made to the Firewall Administrator. (Note: This option is only available to ITS personnel, and should be reserved for urgent requests only.)

If the firewall change request is made via Jira ticket or direct request, the original requestor or Firewall Administrator must document the change after the fact via the electronic form.

All Firewall Change Requests must be documented via electronic form; however, the Director of Enterprise Infrastructure Services may preauthorize Firewall Administrators to perform certain maintenance and operational tasks without having to document the changes in an electronic form.

3. Routing and Approving Firewall Change Requests

Firewall Change Request electronic forms must include the following information:

3.1 Functional Requirements for Approval

  • Requestor Name, Department, and Contact Information.
  • Physical location of the systems or networks for which the Firewall Change Request applies.
  • The Hostnames and IP Addresses of the systems.
  • The purpose of the access request.
  • The specific inbound and outbound IP addresses and/or ports, applications and/or protocols, and/or user identities to allow or block on the firewall. Examples include:
      ◦ Open HTTPS inbound from the internet to a single IP address.
      ◦ Block all access from Western’s wireless network inbound to a specific range of IP addresses.
      ◦ Grant a specific user SSH access to a hostname from off-campus.
      ◦ Allow a specific IP address to join the domain and connect to DNS/NTP servers.

3.2 Information Security Requirements for Approval

  • Confirmation that the servers, workstations, or other IT systems in the scope of the Firewall Request are enrolled in an endpoint management solution approved and managed by ITS.
  • Description of any security baseline that has been applied to the system (CIS, STIG, MS, etc.).
  • Attestation that the Information Security Office has performed an authenticated scan of the system, provided a vulnerability assessment to the system owner, and that the system owner has provided sufficient remediation or mitigation of the assessed vulnerabilities.
  • Authorization for the Information Security Office to conduct periodic authenticated vulnerability scans of the system, and acknowledgement that the requestor may be required to remediate detected vulnerabilities.
  • Attestation that the system will comply with POL-U3000.070: Securing Information Systems.
  • A description of any PII, FERPA, health, or other confidential data stored on the system.

3.3 Approval Routing

The form will route for approval as follows:

  • Department Head of the requesting department (non-ITS departments only).
  • Information Security Office.
  • Firewall Administrator.

4. Auditing Firewall Change Requests

The Information Security Office will maintain a record of all firewall change requests submitted via electronic form.

Requests will be audited annually to determine whether each allowance is still necessary.

The Information Security Office will inform Firewall Administrators of any existing allowances that are no longer necessary and should be removed.

Firewall Administrators will periodically review the list of preauthorized maintenance and operational tasks for accuracy and completeness; requests for changes will be submitted to the Director of Enterprise Infrastructure Services.

5. Authority

  1. POL-U3000.070: Securing Information Systems
  2. POL-U3000.04: Computer Use – Responsible Computing
  3. WA State Office of the CIO (OCIO) Standard No. 141.10: Securing Information Technology Assets

Change Log

Revised      Version   Author         Approver                                Change
03/26/2021   1.0       Chris Miller   ITS Standards & Guidelines Committee   Original Version